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REMARKS 

The Office Action dated July 13, 2009, has been received 
and carefully considered. In this response, claim 1 has been 
amended. No new matter has been added. Entry of the amendments 
to claim 1 is respectfully requested. Reconsideration of the 
current rejections in the present application is also 
respectfully requested based on the following remarks. 1 

I . THE § 1.131 AFFIDAVIT SHOULD BE ACCEPTED 

Applicant filed an Affidavit under 37 C.F.R. § 1.131 with 
the March 26, 2009 Response. The Affidavit showed conception 
before the filing date of the Blake reference, cited below. In 
response, the Examiner asserts that the Affidavit is 
"ineffective to overcome the Blake reference." Office Action, 
page 2. The Examiner noted that "Applicant has submitted a 
declaration asserting diligence, but many of the statements are 
ambiguous such as "meetings" and "emails discussing 
development." These statements are insufficient to show due 

1 As Applicant's remarks with respect to the Examiner's rejections are 
sufficient to overcome these rejections, Applicant's silence as to assertions 
made by the Examiner in the Office Action or certain requirements that may be 
applicable to such rejections (e.g., assertions regarding dependent claims, 
whether a reference constitutes prior art, whether references are legally 
combinable for obviousness purposes) is not a concession by Applicant that 
such assertions are accurate or such requirements have been met, and 
Applicant reserves the right to analyze and dispute such in the future. 
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diligence." Office Action, page 2. 

Applicant respectfully disagrees. Applicant notes that the 
declaration includes as an attachment a detailed functional 
requirements document. Applicant also notes that paragraph 5 of 
the declaration outlines with detail, including recipients and 
dates, communications regarding the subject matter of the 
application. Based on this detailed description, Applicants 
respectfully submit that the declaration should be accepted, and 
that the Blake reference should be withdrawn. 

In further support of the filed declaration, Applicant 
respectfully submits copies of the documents listed in paragraph 
5, subsections a-i. The documents are submitted as exhibits to 
this Response, and the Exhibit letter matches the subsection of 
paragraph 5 (i.e., Exhibit A includes the materials referenced 
in paragraph 5, subsection a, etc.) Applicant respectfully 
submits that the attachments show sufficient evidence of 
conception, diligence, and reduction to practice, and so the 
declaration submitted under 37 C.F.R. § 1.131 should be 
accepted. 
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II . THE OBVIOUSNESS REJECTION OF CLAIMS 1-4, 7, 8, 13-15, 17- 
20, AND 21-24 

On pages 3-5 of the Office Action, claims 1-4, 7, 15, 18- 
20, 23, and 24 were rejected under 35 U.S.C. § 103(a) as being 
unpatentable over U.S. Patent Application Publication No. 
2004/0128543 to Blake ("Blake") in view of U.S. Patent 
Application Publication No. 2004/0139128 to Becker ("Becker"). 
This rejection is hereby respectfully traversed. 

On page 5 of the Office Action, claim 6 was rejected under 
35 U.S.C. § 103(a) as being unpatentable over Blake in view of 
U.S. Patent Application Publication No. 2004/0078592 to Fagone 
("Fagone"). This rejection is hereby respectfully traversed. 
Applicant notes that claim 6 was respectfully canceled without 
prejudice in a Response dated November 14, 2008, and so 
Applicant respectfully requests that this rejection be 
withdrawn. 

On pages 5-6 of the Office Action, claim 8 was rejected 
under 35 U.S.C. § 103(a) as being unpatentable over Blake in 
view of Becker in view of Schlereth "Analysis of a Compromised 
Honeypot on a Cable Modem" ("Schlereth"). This rejection is 
hereby respectfully traversed. 

On pages 6-7 of the Office Action, claims 13 and 14 were 
rejected under 35 U.S.C. § 103(a) as being unpatentable over 
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Blake in view of Becker in view of U.S. Patent Application 
Publication No. 2003/0110396 to Lewis ("Lewis") . This rejection 
is hereby respectfully traversed. 

On page 7 of the Office Action, claim 17 was rejected under 
35 U.S.C. § 103(a) as being unpatentable over Blake in view of 
Becker in view of INFOCUS : The Honeynet Project ("INFOCUS"). 
This rejection is hereby respectfully traversed. 

On pages 7-8 of the Office Action, claims 21 and 22 were 
rejected under 35 U.S.C. § 103(a) as being unpatentable over 
Blake in view of Becker in view of U.S. Patent Application 
Publication No. 2005/01084156 to Turk ("Turk"). This rejection 
is hereby respectfully traversed. 

Under 35 U.S.C. § 103, the Patent Office bears the burden 
of establishing a prima facie case of obviousness. In re Fine , 
837 F.2d 1071, 1074 (Fed. Cir. 1988). There are four separate 
factual inquiries to consider in making an obviousness 
determination: (1) the scope and content of the prior art; (2) 
the level of ordinary skill in the field of the invention; (3) 
the differences between the claimed invention and the prior art; 
and (4) the existence of any objective evidence, or "secondary 
considerations," of non- obviousness . Graham v. John Deere Co. , 
383 U.S. 1, 17-18 (1966); see also KSR Int'l Co. v. Teleflex 
Inc . , 127 S. Ct. 1727 (2007). An "expansive and flexible 
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approach" should be applied when determining obviousness based 
on a combination of prior art references. KSR , 127 S. Ct . at 
1739. However, a claimed invention combining multiple known 
elements is not rendered obvious simply because each element was 
known independently in the prior art. Id. at 1741. Rather, 
there must still be some "reason that would have prompted" a 
person of ordinary skill in the art to combine the elements in 
the specific way that he or she did. Id. ; In re Icon Health & 
Fitness, Inc. , 496 F.3d 1374, 1380 (Fed. Cir. 2007). Also, 
modification of a prior art reference may be obvious only if 
there exists a reason that would have prompted a person of 
ordinary skill to make the change. KSR , 127 S. Ct . at 1740-41. 

Applicants respectfully submit that the Blake reference 
should be withdrawn for at least the reasons stated above in 
view of the 37 C.F.R. § 1.131 declaration and supporting 
documents. Assuming, arguendo, that the Blake reference is 
prior art, the combination of Blake and Becker is still not 
appropriate . 

The Examiner notes that " [i] t would have been obvious to 
one of ordinary skill in the art to use the image of Becker with 
the redeployment of Blake because it would restore the honeypot 
after a compromise." Office Action, page 4. Applicant 
respectfully notes that the honeypot in Blake is specifically 

13 

68865.001204 EMF_US 2845486W1 



U.S. Patent Application No.: 10/775,764 
Attorney Docket No.: 68865.001204 
Client Reference No.: 200310141608 

designed to "morph." See Blake, Abstract. The honeypot is not 
redeployed "by reinitializing the state of the honey pot to an 
initial state in which the honey pot was in at the time it was 
deployed," as recited in claim 1. The honeypot in Blake is 
expected to morph in order to "change its characteristics to 
entice a malicious user to something that the malicious user 
might consider as more vulnerable, exploitable, and, therefore, 
more interesting." Blake, paragraph [0084]. Paragraph [0036] 
and Figure 3 disclose a "typical" honeypot, and disclose four 
modes of operation: a configuration phase, where the honeypot is 
configured; an emulation phase, where the honeypot is operated 
while information about requests is logged; an analysis phase, 
where the logged information is studied; and a reconfiguration 
phase, where "an administrative user determines whether the 
configuration of the honeypot should be changed." None of these 
steps, however, discloses at least steps to "automatically 
redeploy the honey pot, including by reinitializing the state of 
the honey pot to an initial state in which the honey pot was in 
at the time it was deployed. . . , " as recited in claim 1. 

It would therefore not have been appropriate to modify the 
disclosure of Blake with the Becker reference, as the Blake 
reference discloses a morphing honeypot, and the Becker 
reference is directed to "a system and method of backing up a 
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computer system." Becker, Title. There is no need to redeploy 
a morphing honeypot , as the morphing honeypot is reconfigured. 
See Blake, Figure 6, element 616. 

In view of the foregoing, Applicant respectfully submits 
that claim 1 should be allowable over Blake and Becker. 

Regarding claims 2-4, 7, 15, and 18-20, these claims are 
dependent upon independent claim 1. If an independent claim is 
nonobvious under 35 U.S.C. 103, then any claim depending 
therefrom is nonobvious. In re Fine , 837 F.2d 1071 (Fed. Cir. 
1988) . Thus, since independent claim 1 should be allowable as 
discussed above, claims 2-4, 7, 15, and 18-20 should also be 
allowable at least by virtue of their dependency on independent 
claim 1. Moreover, these claims recite additional features 
which are not disclosed, or even suggested, by the cited 
references taken either alone or in combination. For example, 
claim 19 recites a method "further including saving state 
information associated with the honey pot and wherein saving and 
redeploying occur in parallel." 

Applicant respectfully submits that the aforementioned 
obviousness rejection of claims 6, 8, 13, 14, 17, 21, and 22 has 
become moot in view of the deficiencies of the primary 
references (i.e., Blake and Becker) as discussed above with 
respect to independent claim 1. That is, claims 6, 8, 13, 14, 
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17, 21, and 22 are dependent upon independent claim 1 and thus 
inherently incorporate all of the limitations of independent 
claim 1. Also, the secondary references (i.e., Fagone, 

Schlereth, Lewis, INFOCUS, and Turk) fail to disclose, or even 
suggest, the deficiencies of the primary references as discussed 
above with respect to independent claim 1. Indeed, the Examiner 
does not even assert such. Thus, the combination of the 
secondary references with the primary references also fails to 
disclose, or even suggest, the deficiencies of the primary 
references as discussed above with respect to independent claim 
1. Accordingly, claims 6, 8, 13, 14, 17, 21, and 22 should be 
allowable over the combination of the secondary reference with 
the primary references at least by virtue of their dependency on 
independent claim 1. Moreover, claims 6, 8, 13, 14, 17, 21, and 
22 recite additional features which are not disclosed, or even 
suggested, by the cited references taken either alone or in 
combination . 

Regarding claims 23 and 24, these claims, while of 
different scope than claim 1, recite subject matter related to 
claim 1. Thus, the arguments set forth above with respect to 
claim 1 are equally applicable to claims 23 and 24. 
Accordingly, Applicant respectfully submits that claims 23 and 
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24 should be allowable over Blake and Becker for the same 
reasons as set forth above with respect to claim 1. 

In view of the foregoing, Applicant respectfully requests 
that the aforementioned obviousness rejection of claims 1-4, 7, 
8, 13-15, 17-20, and 21-24 be withdrawn. 

III. CONCLUSION 

In view of the foregoing, Applicant respectfully submits 
that the present application is in condition for allowance, and 
an early indication of the same is courteously solicited. The 
Examiner is respectfully requested to contact the undersigned by 
telephone at the below listed telephone number, in order to 
expedite resolution of any issues and to expedite passage of the 
present application to issue, if any comments, questions, or 
suggestions arise in connection with the present application. 

To the extent necessary, a petition for an extension of 
time under 37 CFR § 1.136 is hereby made. 

Please charge any shortage in fees due in connection with 
the filing of this paper, including extension of time fees, to 
Deposit Account No. 50-0206, and please credit any excess fees 
to the same deposit account. 
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Registration No. 37,063 

TEA : JBB 

Hunton & Williams LLP 
1900 K Street, N.W. 
Washington, D.C. 20006-1109 
Telephone: (202) 955-1500 
Facsimile: (202) 778-2201 

Date: October 13, 2009 
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Goal 



The goal for the honey pot system is to semi-automatically capture malicious code 
samples and detect new attacks. 

Broad Requirements 

The diverse nature of the targets of attack (at the operating system and application level) 
requires that the system be capable of supporting multiple honey pots and multiple 
operating systems, thus permitting the broadest coverage possible. 

The large amount of "background noise" (known malicious code and attacks that are 
continually launched across the Internet) requires that the system be capable of 
recognizing known attacks and known malicious code, thus permitting analysts to focus 
on those incidents that are more likely to result in the capture of unknown malicious code 
or novel attacks. 

The high frequency of known attacks and known malicious code requires that the system 
be capable of automatically detecting an incident, capturing relevant data, and 
reinitializing the honey pot to capture the next incident, thus freeing analysts from this 
repetitive task that may occur at any time of day. 

Virtual Honey Pot 

Given these requirements and after performing some research I recommend a virtual 
honey pot approach. Virtual honey pots execute as a process within a normal host. 

A virtual honey pot approach will permit us to run multiple honey pots in a single host, 
making deployment and management easier, and permitting us to somewhat fulfill the 
first requirement. 

It is not uncommon for the host the executing the virtual honey pot to have access to the 
virtual honey pot's environment (e.g. its file system), thus making automated analysis 
easier, thus permitting us to somewhat fulfill the second requirement. 

In addition, some virtualization systems support API's to control the environment, for 
instances to start-up or shutdown a virtual host, thus permitting us to fulfill the third 
requirement. 

Furthermore, some virtualization systems store their state in regular file, which makes 
management and automation of the system easier, and permit us to easily archive 
incidents for latter analysis. 



VMware 



The only real competitor in the area of virtual operating environments is VMware. The 
offer three products: VMware Workstation, VMware GSX Server, and VMware ESX 
Server. 

After reviewing them VMware GSX Server best fits our needs: 

• It supports multiple concurrent virtual hosts. 

• It supports a broad range of guest operating systems: Windows .NET, Windows 
2000/NT, Window Me, Window 9x, WfW, Windows 3.1, MS-DOS, Linux, and 
FreeBSD. It may also be possible to install other x86-based operating systems 
such as Solaris, although they are not officially supported. 

• It supplies API that permit to programmatically control each virtual host 
individually. 

• Its state, such as the virtual host file system and suspended virtual host memory, 
are stored in files. 

• It supports suspending a virtual host, instead of simply shutting it down. 



In addition, the Linux version of VMware GSX Server permits the mounting of the 
virtual disks as a regular file system (so long as the Linux kernel supports the file system 
type). 

The System 

I envision a system running VMware GSX Server with a number of virtual honey pots 
running different operating systems and applications. The system would automatically 
detect that a virtual honey pot has been breached by monitoring outgoing network traffic 
from the virtual honey pot. When the system determines a virtual honey pot has been 
breached it would suspect the virtual honey pot and copy its state to an analysis area. It 
would then reinitialize the virtual honey pot so that it can immediately become available 
for new incidents. After this, the system can aggregate the data collected by or against the 
virtual honey pot, such as packet dumps and IDS events. It can perform further analysis 
by mounting the virtual drive and flagging any file changes. It can also scan the virtual 
drive for known malicious code. Finally, it dumps all the information into a database, 
which a front-end makes available to analysis for browsing. Analysis can choose to 
discard an incidents state, archive it, or perform further analysis. 

Timeline 

I would recommend we build the system in at least two phases. 



Phase 1: 



This phase emphasizes building the core technology, and collecting and analyzing data in 
a manner that is independent of the virtual honey pot's operating system or application. 

• Build the virtual honey pot hosting environment 

o Setup virtual honey pots. 

o Write monitoring and control scripts. 

■ Monitor outgoing virtual honey pot traffic. 

• Analysis: 

o Detect file system changes 

■ This includes sample collection (new files) 
o Detect known malicious code in the fde system 

o Collect network traffic 
o Detect known attacks 

■ Run an IDS 



This phase emphasizes augmenting the technology by collecting and analyzing data that 
is dependent on the virtual honey pot's operating system and/or application. 

Platform specific monitoring: 

• Syslog / Even Log 

• Deleted files 

• Registry changes 

• API tracing 

• Terminal monitoring 

o Keylogger 
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SendTo: CN=Elias Levy/ou=Redwood city/ou=Cal/o=SYMANTEC@SYMANTEC 
CopyTo : mvel zenOsecu ri tyf ocus . com 
BlindCopyTo: 

Subject: Re: DeepSight AQS 
$sealData: 

EnterSendTo: CN=Elias Levy/OU=Redwood city/OU=Cal/o=SYMANTEC 
EnterCopyTo: Mario van velzen 
EnterBlindCopyTo: 
$seal : 

$Mailer: Lotus Notes Release 5.0.9a January 7, 2002 

$MessageID: <OFA62FCDFF.1822c93B-ON87256c9C.007Bl6DE-87256c9D.0004D561(aLocalDomain> 
iNetFrom: craig_davi son@symantec. com 
PostedDate: 12/27/2002 05:52:47 PM 
Recipients: CN=Elias Levy/OU=Redwood 

ci ty/OU=cal /o=SYMANTEC@symantec , mvel zen@secu n tyf ocus . com 
SupdatedBy: CN=craig Davi son/OU=Calgary/OU=Al berta/0=SYMANTEC 
Mail Options: 0 
saveoptions: 1 
$Links: 

$Al tNameLanguageTags : 
Sstoragecc: 1,. 
$StorageTo: 1,. 
SstorageBcc: 
InetCopyTo: 

InetSendTo: elias_levy@symantec.com, . 

AltCopyTo: 

InetBlindCopyTo: 

InheritedReplyTo: 

inheritedFrom: CN=Craig Davi son/OU=Cal gary/OU=Al berta/0=SYMANTEC 
inheri tedAl t From : CN=Crai g Davi son/OU=Cal gary/OU=Al be rta/ o=SYMANTEC 
inheri tedFromDomai n : 

From: CN=Craig Davi son/OU=Cal gary/ ou=Al berta/ o=SYMANTEC 
AltFrom: CN=craig Davi son/OU=Cal gary/OU=Al berta/0=SYMANTEC 
Logo: stdNotesLtrO 
Sign: 0 
Encrypt: 

DefaultMail Saveoptions: 1 
Query_String: 

Principal: CN=craig Davison/ou=Calgary/OU=Alberta/0=SYMANTEC 
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SendTo: CN=Elias Levy/OU=Redwood 

ci ty/ou=Cal /o=SYMANTEC@symantec , mvel zen@secu n tyf ocus . com 

CopyTo: 

BlindCopyTo: 

Subject: Re: DeepSight AQS . 
EnterSendTo: CN=Elias Levy/OU=Redwood City/OU=Cal/0=SYMANTEC,Mano van velzen 
EntercopyTo: 
EnterBlindCopyTo: 

Mario suggested that I combine the fields common to the tables describing 
incoming data stored as files (File, CapturedPackets , DecryptedTraf f i c) 
into a single table, and have separate tables only for type-specific 
fields like permissions for Files and source/destination addresses for 
DecryptedTraffic. 

The first advantage of this is it would cut down on the number of database 
queries we'd need to get a unified list of incoming data. As well, new 
types of data would be easier to integrate with our code. 

Also, we could separate the connection information from the 
DecryptedTraffic table into an intrusionConnection table. Rows from this 
table could be joined to CapturedPackets l:n for multiple protocols/source 
and destination ports, and joined to DecryptedTraffic 1:1. 

we'll call the common table Data: 

- ID (unique) 

- Data (points to a file, say /var/dionaea/data/<randotn strmg>) 

- Date/time captured or uploaded 

- MD5/other hash 

- DataTypes ID 

DataTypes: 

- ID (unique) r< _. „ 

- Type (table names: "File", "CapturedPackets", "DecryptedTraffic etc.) 

Altered File, CapturedPackets, DecryptedTraffic tables: 

Fi 1 e : 

- ID (unique) 

- original Filename 

- Created, Modified, Accessed date/times 

- captured or uploaded times 

- FileTypes ID 

- permissions 

CapturedPackets: 

- ID (unique) 

DecryptedTraffic: 

- ID (unique) . . , 

- information about the original SSL traffic 

SSL/TLS version 

intrusionConnection: 

- Source IP 

- Destination IP 

- source Port for tcp/udp 

- Dest Port for tcp/udp 

- ICMP Type 

- protocol 



Craig Davison 
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2002-12-18 07:31 PM 

To: Eli as Levy/Redwood ci ty/ Cal / SYMANTEC 
cc: mvelzen@securityfocus.com 
Subject: Re: DeepSight AQS 

I was talking with Mario a few weeks ago and this idea came up during our 
discussion: 

These tables are by no means comprehensive. 

First, a FileTypes table: 

- ID (unique) 

- Free text ("ELF binary", "Win32 DLL", etc.) 

We would store files in a File table: 

- ID (unique) 

- original Filename 

- Data (points to a file, say /var/di onaea/f i 1 es/<random stnng>) 

- CRC/hash 

- created, Modified, Accessed date/times 

- captured or uploaded times 

- FileTypes ID 

- permissions 

Packet captures in a CapturedPackets table: 

- ID (unique) 

- Data (points to a file, say /var/di onaea/packetcap/<random stnng>) 

- Date/time captured or uploaded 

Decrypted traffic in a DecryptedTraff i c table: 

- ID (unique) , , . 

- Data (points to a file, say /var/di onaea/traffic/< random stnng>) 

- Date/time captured or uploaded 

- Source IP 

- Destination IP 

- source Port 

- Dest Port 

- Protocol 

- information about the original SSL traffic 
SSL/TLS version 

we might want to store some fields in a free-text XML field because 
there y s little value in making full-fledged table columns when we won't be 
indexing or searching on those fields. I could go either way. 

Each File row would have a one-to-one relationship with an incident row: 

- ID (unique) 

- Type {packet capture, decrypted traffic, file} 

- captured or uploaded 

- File or Traffic table ID 

- File type 

- Flexible XML text, which would include 

the DIS verdict } the DIS verdict is File-specific but it was mentioned 
that 

the oracle verdict } changes are being made to DIS to accept captured 
packets 

we'd have an lntrusionAttempt_lncidents table comprised of multiple 
incidents: 

- intrusionAttempt ID 

- Incident ID 

An IntrusionAttempt table: 
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- intrusionAttempt ID (unique) 

- Flexible XML text 
the analysts' comments 

resolution of the incident -> is it known, a duplicate, or has a new 
report been written about it 

perhaps an intruders table: 

- intrusionAttempt ID 

- IP address 

- XML 

nmap results 
OS detected 

Perhaps a References table: 

- intrusionAttempt ID 

- ReferenceType ID 

- Reference ID 

ReferenceTypes : 

- ReferenceType ID (unique) . 

- Free text ("BID", "MCID", "ARIS Report", "Another intrusionAttempt ...) 

intrusionAttempts are built by the Honey Pot Monitoring & Management 
(files and traffic recovered from an intrusion will be combined to form an 
intrusionAttempt), or manually by the analyst. . 
We're assuming that the UI will allow an analyst to manually submit a file 
acquired through other means (acquired in the wild, or given to us by a 
partner) to take advantage of the automatic type checking, oracle 
checking, and dis uploads. 



Eli as Levy 
2002-12-13 01:11 PM 

to: Mario van vel zen/cal gary/Al berta/SYMANTEC@SYMANTEC 
cc: Craig Davison/Cal gary/Al berta/SYMANTEC@SYMANTEC 
Subject: Re: DeepSight AQS 

Reqarding the database, how much data to we want to store in it? in an 
ideal world any information we may learn from the intrusion would be 
stored in the database. Such things as what foreign IPs where seen, what 
OS did the fingerprinting tool guess, what attacks did Snort see, what 
files where modified, removed, or added, etc. But all that means we need 
to design tables for the information and create tools to parse the output 
of Snort and other such tools and insert it into the database. 

Thoughts? 

Eli as Levy 

Symantec 

Alea jacta est 



Mario van velzen 
12/12/2002 02:28 PM 

To: Eli as Levy/Redwood Ci ty/ Cal / symantec@SYMANTEC 
cc: Craig Davi son/Cal gary/Al berta/SYMANTEC@SYMANTEC 
Subject: DeepSight AQS 
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Hi Eli as, 

At what stage is the AQS FS documentation at? could you send us the latest 
copy? 

And apart from the FS, what have you worked on in terms of code and 
interface? Let me know. 

Cheers , 

Mario van velzen, mario_vanvelzen@symantec.com 
DeepSight Threat Analyst Manager, Symantec 



principal: CN=Craig Davi son/OU=Calgary/OU=Alberta/0=SYMANTEC 
$langprincipal : 

$altprincipal : CN=Ben Baker/OU=Eugene/OU=oregon/0=SYMANTEC 
inetSendTo: 

inetCopyTo : el i as_l evyOsymantec . com 

inetBlindCopyTo: 

$StorageTo: 

$StorageCc: 1 

$Mailer: Lotus Notes Release 5.0.9a January 7, 2002 

$MessagelD: <OF6ElC7ACC.DA3AB57E-ON87256c9F.0060142B-87256c9F.00686EE5@LocalDomain> 
iNetFrom : crai g_davi son@symantec . com 
PostedDate: 12/30/2002 12:00:41 PM 

Recipients: mvelzen@securityfocus.com,CN=Elias Levy/ou=Redwood 
ci ty/ou=cal /o=symantec@symantec 

SupdatedBy: CN=Craig Davi son/OU=Cal gary/ou=Al berta/0=SYMANTEC 
Mail Options: 0 
SaveOptions: 1 

From: CN=Craig Davi son/OU=Cal gary/OU=Al berta/0=SYMANTEC 
AltFrom: CN=Craig Davi son/OU=Cal gary/OU=Al berta/0=SYMANTEC 
Logo: stdNotesLtrO 
useApplet: True 
Sign: 0 
Encrypt : 

DefaultMail SaveOptions: 1 
Query_String: 

SendTo: mvel zen@securi tyfocus . com 

CopyTo: CN=Elias Levy/OU=Redwood ci ty/ ou=Cal / o=symantec@Symantec 
b! i ndCopyTo : 

Subject: The FS section 6.1.5 you asked me to comment on 
EnterSendTo: Mario van velzen 

EnterCopyTo: CN=Elias Levy/0U=Redwood city/OU=Cal/0=SYMANTEC 
EnterBlindCopyTo: 

I think Eli as has already laid out the best way to do this. He mentions 
the specific regui rements we have: 

we have to capture packets at two places per honeypot (incoming on the 
single external interface, and outgoing on the Honeypot interface), and 
produce a single file with data captured from both places. 

None of the tools based on libpcap (ie, snort, which is very similar to 
tcpdump in capture mode) do this for us. They write to a single file, or a 
single file per interface if we run multiple instances, but that's not 
what we want. We could use libpcap, but not without using multiple threads 
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or processes, which: 

- is probably more work than just writing the capture code ourselves by 
opening a kernel Packet Socket . 

- Does not fit with the model Elias has used in the FS of multiple small 
utilities running in a single process 

we also want to tie this work together with the rest of the project, ie. 
have it start and stop automatically when we want to start monitoring a 
Honeypot. Plus, we can still use libpcap to do the "hard" part (formatting 
the packet output in the tcpdump format, and making sure it conforms to 
the format) . 

Still, there is an alternative to Elias' method, if you prefer that we use 
the tcpdump/snort utilities directly without touching libpcap (except to 
parse tcpdump logs), we could have one instance per interface (1 external 
+ n Honeypot interfaces) logging to different files, and we could split 
the output from there by doing some text parsing. I think this method is 
uglier in that sense, but not necessarily more work, we'd just need to 
make sure that the copies of tcpdump/snort stayed running (perhaps have a 
watchdog process) . 

Basically, the capture would "start" for a Honeypot by looking at two 
files - the "external" tcpdump log, and the tcpdump log for the Honeypot. 
Our code would combine: 

- all traffic from the Honeypot tcpdump log ("outbound from the Honeypot ) 

- traffic destined for the Honeypot 's IP address, MAC address and 
broadcast traffic from the external tcpdump log ("inbound to the Honeypot") 

as I said, though, I prefer the solution already in the FS. 



$Mailer: Lotus Notes Release 5.0.9a January 7, 2002 

$MessageID : <OFClE08062 . 923584D8-ON87256CAO . 0002783F-87256CA0 . 00029FF9@Local Domai n> 
iNetFrom: craig_davi son@symantec.com 
PostedDate: 12/30/2002 05:28:43 PM 
Reci pi ents : mvel zen@securi tyfocus . com 

SupdatedBy: CN=craig Davi son/OU=Cal gary/OU=Al berta/0=SYMANTEC 
Mail Options: 0 
SaveOptions: 1 
$Links: 

$Al tNameLanguageTags : 
$StorageCc: 1,. 
$StorageTo: 1 
$StorageBcc: 

inetCopyTo : el i as_l evyOsymantec . com , . 

inetSendTo : el i as_l evyOsymantec . com 

AltCopyTo: 

inetBlindCopyTo: 

inheritedReplyTo: 

inheritedFrom: CN=Elias Levy/OU=Redwood/OU=Cal/0=SYMANTEC 
inheritedAltFrom: CN=Elias Levy/OU=Redwood/ou=Cal/o=SYMANTEC 
inheri tedFromDomai n : 

From: CN=Craig Davi son/OU=Cal gary/ ou=Al berta/ o=SYMANTEC 
AltFrom: CN=craig Davi son/OU=Cal gary/0U=Al berta/0=SYMANTEC 
Logo: stdNotesLtrO 
Sign: 0 
Encrypt: 

DefaultMail SaveOptions: 1 
Query_String: 

Principal: CN=Craig Davi son/ou=Cal gary/ ou=Al berta/ o=SYMANTEC 
sendTo: CN=Elias Levy/ou=Redwood ci ty/ ou=cal / o=symantec@symantec 
copyTo: CN=Elias Levy/OU=Redwood 
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Ci ty/OU=Cal /o=SYMANTEC@symantec , mvel zen@securi tyf ocus . com 
Bl i ndCopyTo : 

Subject: Re: The FS section 6.1.5 you asked me to comment on 
$SealData: 

EnterSendTo: CN=Elias Levy/OU=Redwood/OU=cal/0=SYMANTEC 
EnterCopyTo: CN=Elias Levy/OU=Redwood 

Ci ty/OU=Cal /o=SYMANTEC@symantec , mvel zen@securi tyf ocus . com 

EnterBlindCopyTo: 

$seal : 

□ 
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5.d.txt 

Principal: CN=Elias Levy/OU=Redwood/OU=Cal/0=SYMANTEC 
$langprincipal : 

$altprincipal : CN=Ben Baker/OU=Eugene/ou=oregon/o=SYMANTEC 
$AutoSpell: 1 
$FILE : 

AltFrom: CN=Elias Levy/ou=Redwood/OU=Cal/o=SYMANTEC 
Logo: stdNotesLtrO 
useApplet: True 
Encrypt: 1 

Defau ItMailsaveOptions: 1 

Query_String: 

Subject: Draft AQS FS 

sendTo: CN=Mario van velzen/ou=calgary/ou=Alberta/o=SYMANTEC@SYMANTEC,CN=craig 
Davi son/ou=cal qary/ou=Al be r ta/ o=SYMANTEC@symantec 

CopyTo: CN=OMver Friedrichs/ou=Redwood Ci ty/ ou=Cal / o=SYMANTEC@SYMANTEC , CN=Al f red 
Huger/OU=Cal gary/OU=Al berta/0=SYMANTEC@SYMANTEC 

inetSendTo : mari o_vanvel zen@symantec . com , crai g_davi sonOsymantec . com 
inetCopyTo : ol i ver_f ri ed ri chs@symantec . com , al f red_huge r@symantec . com 
$StorageTo: 1,1 
Sstoragecc: 1,1 

$Mailer: Lotus Notes Release 5.0.9a January 7, 2002 
From: CN=Elias Levy/OU=Redwood/OU=Cal/0=SYMANTEC 
iNetFrom : el i as_l evy@symantec . com 

$MessageID: <OFBD5A3A28.9B434112-ON88256C9F.00630Bl4-88256C9F.00634042(aLocalDomain> 

PostedDate: 12/30/2002 10:57:34 AM 

$Signature: 

Sign: 0 

$Seal : 

RoutingState: 
$UpdatedBy: CN=Elias 

Levy/OU=RedwOOd/OU=Cal/O=SYMANTEC,CN=USCU-MAIL01-l/OU=GLOBE-ADMIN/O=SYMANTEC 
$Orig: BD5A3A289B43411288256C9F00630B14 
Categories: 
$Revi sions : 

Routeservers : cn=uscu-mail01-1/ou=globe-admin/o=symantec 
RouteTimes: 12/30/2002 10:57:39 AM-12/30/2002 10:57:39 AM 
$MsgTrackFlags: 0 

DeliveredDate: 12/30/2002 10:57:39 AM 

This is the latest draft. There is little change from the last one since I 
been working on the mockup web interface. I will be consolidating the 
event tables into a single one. 



Eli as Levy 

Symantec 

Alea jacta est 
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5.e.ics 

BEGIN : VCALENDAR 
VERSION: 2.0 

PRODID: -//Apple lnc.//ical 4.0//EN 
CALSCALE: GREGORIAN 
BEGIN :VTIMEZONE 
tzid: US/Pacific 

BEGIN: STANDARD 
TZOFFSETFROM: -0700 

RRULE :FREQ=YEARLY;UNTIL=20061029T090000Z;BYMONTH=10;BYDAY=-lSU 

DTSTART:19621028T020000 

TZNAME : PST 

TZOFFSETTO:-0800 

END: STANDARD 

BEGIN: DAYLIGHT 

TZOFFSETFROM: -0800 

RRULE : FREQ=YEARLY ; UNTIL=20060402Tl00000Z ; BYMONTH=4 ; BYDAY=1SU 

DTSTART: 19870405T020000 

TZNAME: PDT 

TZOFFSETTO:-0700 

END: DAYLIGHT 

BEGIN: DAYLIGHT 

TZOFFSETFROM: -0800 

RRULE : FREQ=YEARLY; BYMONTH=3 ; BYDAY=2SU 

DTSTART: 20070311T020000 

TZNAME: PDT 

TZOFFSETTO:-0700 

END: DAYLIGHT 

BEGIN: STANDARD 

TZOFFSETFROM: -0700 

RRULE : FREQ=YEARLY ; BYMONTH=ll ; BYDAY=lSU 

DTSTART: 20071104T020000 

TZNAME: PST 

TZOFFSETTO:-0800 

END: STANDARD 

END : VTIMEZONE 

BEGIN :VEVENT 

CREATED : 20080324T210223Z 
UID:D15987563 

DTEND ;TZID=US/Paci fi c : 20021231T130000 
TRANS P: OPAQUE 
SUMMARY :AQS meeting 

DTSTART ;TZID=US/Paci f i c : 20021231T100000 

DTSTAMP:20061227T172209Z 

SEQUENCE :0 

END : VEVENT 

END: VCALENDAR 
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5.f .txt 

Received: from uscu-navgw3.symantec.com ([155.64.1.176]) by 
uscu-smtpib01-l.symantec.com (Lotus Domino Release 5.0.11) with SMTP id 

2003010814053070:538370 ; Wed, 8 Jan 2003 14:05:30 -0800 

Received: from uscu-navieg.symantec.com ([155.64.1.175]) by 
uscu-navgw3.symantec.com (SAVSMTP 3.0.0.44ccantisp8) with SMTP id 
M2003010813574831688 for <crai g_Davi son@notes . Symantec. com>; wed, 08 Jan 2003 
13:57:48 -0800 . 

Received: from excu-mxib-l.symantec.com ([198.6.49.87]) by uscu-navieg.symantec.com 

(SAVSMTP 3.0.1.45) with SMTP id M2003010813575021653 for 

<Craig_Davison@notes. Symantec. com>; wed, 08 Jan 2003 13:57:50 -0800 

Received: from securityfocus.com (mail.securityfocus.com [205.206.231.9]) by 

excu-mxib-l.symantec.com (8 . 12 . 2+Sun/8 . 12 . 2) with SMTP id h08Lvnbl023202 for 

<craig_Davison@symantec.com>; wed, 8 Jan 2003 13:57:50 -0800 (PST) 

Received: (qmail 6701 invoked by uid 1016); 8 Jan 2003 21:48:38 -0000 

Del i vered_To : cd@secu ri tyf ocus . com 

Received: (qmail 6684 invoked by uid 1053); 8 Jan 2003 21:48:37 -0000 

PostedDate: 01/08/2003 02:48:37 PM 

From: Mario van velzen <mvel zen@securi tyf ocus. com> 

SendTo: Craig Davison <cd@securityfocus.com>,<alephl@securityfocus.com> 

Subject: Re: another developer? 

ln_Reply_To: 

<OF5A62444A. 8071D792-ON87256CA8 . 00772260-87256CA8 . 007748A4@symantec . com> 
$MessagelD : <Pi ne. LNX.4.43 . 0301081442210 . 19623-100000@mai 1 . secu ri tyf ocus . com> 
MiME_version: 1.0 , , 

$MiMETrack : itemize by SMTP server on uscu-SMTPiB01-l/GLOBE-ADMiN/SYMANTEC(Rel ease 
5.0.11 I July 24, 2002) at 01/08/2003 02:05:30 PM, MIME-CD by Notes Client on Craig 
Davison/Enterprise(Release 6. 0. 2CF1 | June 9, 2003) at 02/27/2009 12:49:18 PM, MIME-CD 
complete at 02/27/2009 12:49:18 PM 
SMTPOri gi nator : mvel zen@secu ri tyf ocus . com 
RoutingState: 

$UpdatedBy : , CN=USCU-SMTPIB01-l/OU=GLOBE-ADMIN/O=SYMANTEC 
RouteServers: 

CN=USCU-SMTPIB01-l/OU=GLOBE-ADMIN/O=SYMANTEC,CN=USCU-MAIL01-l/OU=GLOBE-ADMIN/O=SYMAN 

RouteTimes: 01/08/2003 03:05:30 PM-01/08/2003 03:05:32 PM , 01/08/2003 02:51:06 

PM-01/08/2003 02:51:06 PM 

$Orig: 33ACE5952962212D88256CA800795AAE 

Categories: 

$Revi sions : 

$MsgTrackFlags: 0 

DeliveredDate: 01/08/2003 02:51:06 PM 
Hi there, 

That's not quite the whole story. Further along in the project, there 
might be some additional developers/analysts available for short periods 
of time. 

I have to block off possible sections/parts of the project which could be 
suitable for people with very short/no ramp-up time. Some of this 
(especially the analyst teams) has already been written up in the virtual 
project plan, other stuff I just became aware of. 

in other news: 

I'm going to start a MS Project plan for the project, as the AQS is now 
going to be tracked as a full deliverable, according to all Symantec 
rules. You should see the start of that on Monday. 

we also received some documents regarding the implementation of the 
malicious code oracle within the DIS system. I will forward that to you. 
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Also on Monday, would you be available for a meeting on the IRC server, 
inside the lab? 

Let me know if you have any questions. 

Thanks , 

Mario 

> Ben told me on Monday that another developer (spending all or half of 

thei r 

> time) was being considered for the project. Do either of you have any 
other 

> information about that? 



Page 2 



U.S. Patent Application No. : 10/775,764 
Attorney Docket No.: 68865.001204 
Client Reference No.: 200310141608 



Exhibit G 



68865.001204 EMFJJS 28720180vl 



5-g.txt 

Received: from uscu-navgw3.symantec.com ([155.64.1.176]) by 
uscu-smtpib01-2.symantec.com (Lotus Domino Release 5.0.11) with SMTP id 

2003011511221509:1039549 ; Wed, 15 Dan 2003 11:22:15 -0800 

Received: from uscu-navieg.symantec.com ([155.64.1.175]) by 
uscu-navgw3.symantec.com (SAVSMTP 3 .0.0.44ccanti sp8) with SMTP id 
M2003011511253714811 for <Craig_Davison@notes. Symantec. com>; wed, 15 Jan 2003 
11:25:37 -0800 

Received: from excu-mxib-l.symantec.com ([198.6.49.87]) by uscu-navieg.symantec.com 

(SAVSMTP 3.0.1.45) with SMTP id M2003011511253908843 for 

<Craig_Davison@notes. Symantec. com>; wed, 15 Jan 2003 11:25:39 -0800 

Received: from securityfocus.com (mail.securityfocus.com [205.206.231.9]) by 

excu-mxib-l.symantec.com (8.12.2+Sun/8.12.2) with SMTP id hOFJPcbl026441 for 

<craiq_Davison@symantec.com>; wed, 15 Jan 2003 11:25:39 -0800 (PST) 

Received: (qmail 20685 invoked by uid 1016); 15 Jan 2003 19:15:33 -0000 

Del i vered_To : cd@secu ri tyf ocus . com 

Received: (qmail 20677 invoked by uid 1053); 15 Jan 2003 19:15:32 -0000 

PostedDate: 01/15/2003 12:15:32 PM 

From: Mario van Velzen <mvelzen@securityfocus.com> 

SendTo: Craig Davison <cd@securi tyfocus . com> , <al ephl@securi tyfocus . com> 
Subject: email for discussion 

$MessagelD : <Pi ne . LNX . 4 . 43 . 0301151054540. 1254-lOOOOOOmai 1 . secu n tyfocus . com> 
MlME_Version: 1.0 „ „ ; . _ 

$MiMETrack : itemize by SMTP Server on uscu-SMTPiB01-2/GLOBE-ADMiN/SYMANTEC(Rel ease 
5.0.11 I July 24, 2002) at 01/15/2003 11:22:15 AM, MIME-CD by Notes Client on Craig 
Davison/Enterprise(Release 6.0.2CF1I June 9, 2003) at 02/27/2009 12:49:19 pm.mime-CD 
complete at 02/27/2009 12:49:19 PM 
SMTPOri gi nator : mvel zen@securi tyfocus . com 
Routingstate: 

SupdatedBy: ,cn=uscu-smtpib01-2/ou=globe-admin/o=symantec 

RouteServers : „, , , , 

CN=USCU-SMTPIB01-2/OU=GLOBE-ADMIN/O=SYMANTEC,CN=USCU-MAIL01-l/OU=GLOBE-ADMIN/O=SYMAN 

RouteTimes: 01/15/2003 12:22:15 PM-01/15/2003 12:22:17 PM, 01/15/2003 12:18:51 

PM-01/15/2003 12:18:52 PM 

$Orig: 0D4B0C47AB3DBAB888256CAF006A6845 

Categories : 

$Revi sions : 

$MsgTrackFlags: 0 

DeliveredDate: 01/15/2003 12:18:52 PM 
Hi there, 

PS: There's a few more points I need to touch, but I will send this email 
out and go from there. Expect more emails from me today and tomorrow, mvv 



A few points that we need to touch on. I will write down its current 
state, and you can let me know if you have any concerns. 

- Elias: when would you be available for a meeting? This afternoon or 
tomorrow? How was your move? 

- Craig/Eli as: is Monday appropriate for meetings? Next Monday ok for the 
both of you? 

- Hardware: Here's the current situation: 

energon (external: 207.34.103.195, internal: 10.0.2.1) 
SSH gateway, running RedHat 8.0, KVM Switch ID 7 

fury (internal: 10.0.2.12) 
IRC, documents store, cvs 
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Running RedHat 8.0, kvm Switch ID 1 

megatron (internal: 10.0.2.5) 
MS SQL 

Running w2k server, KVM switch ID 3 

axe (internal : 10.0.2.6) 
Development box 

Running RedHat 8.0, KVM Switch ID 2 

grimlock (internal: 10.0.2.3) 
VMware host 

Running RedHat 8.0, KVM Switch ID 5 

I will add one box to dedicate it to network processing, is that 
appropriate? What else do you need? 

- Project plan: The AQS has been promoted to a official Symantec 
deliverable, which means I have to provide additional information, 
including a timeline, for the project. 

I'm assembling the requirements, and creating a timeline for this. I will 
send a very rough sketch of it this afternoon, for you to review. Would it 
be possible for you to review those dates, and modify/buy off on them? 



I apologize if those are non-technical issues, but that's what I'm tackled 
with right now. Let me know if you have any concerns or questions. 

Mario 



D 

$Al tNameLanguageTags : 
inheritedReplyTo: 

inheritedFrom: CN=Elias Levy/OU=Redwood/OU=Cal/0=SYMANTEC 
inheritedAltFrom: CN=Ben Baker/OU=Eugene/OU=Oregon/0=SYMANTEC 
inheri tedFromDomai n : 

AltFrom: CN=Mario van vel zen/ou=Cal gary/OU=Al berta/0=SYMANTEC 
Logo: stdNotesLtrO 
Sign: 0 
Encrypt: 1 

DefaultMailsaveOptions: 1 
Query_String: 

Principal: CN=Mario van velzen/OU=Calgary/OU=Alberta/0=SYMANTEC 

Subject: Re: Network Space 

SsealData: 

SendTo: CN=Elias Levy/ou=Redwood Ci ty/ ou=cal / o=symantec@symantec 
CopyTo : CN=Crai g Davi son/OU=Cal gary/OU=Al berta/0=SYMANTEC@SYMANTEC 
inetSendTo : el i as_l evy@symantec . com 
inetCopyTo : crai g_davi son@symantec . com 
$StorageTo: 1 
$StorageCc: 1 

$Mailer: Lotus Notes Release 5.0.9a January 7, 2002 
From: CN=Mario Van velzen/OU=Calgary/OU=Alberta/0=SYMANTEC 
iNetFrom : mari o_vanvel zenSsymantec . com 
SupdatedBy: CN=Mario van 

vel zen/ou=cal gary/ou=Al berta/o=SYMANTEC , cn=uscu-mail01-1/ou=globe-admin/o=symantec 
$MessagelD : <OF38FD60B8 . 8B69BE9B-ON87256CAF . 006BCC19-87256CAF . 006E018D@Local Domai n> 
PostedDate: 01/15/2003 12:51:49 PM 
$Seal : 

$Orig: 38FD60B88B69BE9B87256CAF006BCC19 
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Categories: 
$Revisions: 

Routeservers : cn=uscu-mail01-1/ou=globe-admin/o=symantec 
RouteTimes: 01/15/2003 12:51:50 PM-01/15/2003 12:51:51 PM 
$MsgTrackFlags : 0 

DeliveredDate: 01/15/2003 12:51:51 PM 

Received: from uscu-navgw3.symantec.com ([155.64.1.176]) by 
uscu-smtpib01-2.symantec.com (Lotus Domino Release 5.0.11) with SMTP id 

2003011511574948:1042566 ; Wed, 15 Dan 2003 11:57:49 -0800 

Received: from uscu-navieg.symantec.com ([155.64.1.175]) by 
uscu-navgw3.symantec.com (SAVSMTP 3.0.0.44ccantisp8) with SMTP id 
M2003011512011112501 for <craig_Davi son@notes . Symantec . com> ; wed, 15 Jan 2003 
12:01:11 -0800 

Received: from excu-mxib-l.symantec.com ([198.6.49.87]) by uscu-navieg.symantec.com 

(SAVSMTP 3.0.1.45) with SMTP id M2003011512011328654 for 

<Craig_Davison@notes. Symantec. com>; wed, 15 Jan 2003 12:01:13 -0800 

Received: from securityfocus.com (mail.securityfocus.com [205.206.231.9]) by 

excu-mxib-l.symantec.com (8.12.2+Sun/8.12.2) with SMTP id hOFKlDbl005750 for 

<Craiq_Davison@symantec.com>; Wed, 15 Jan 2003 12:01:13 -0800 (PST) 

Received: (qmail 28305 invoked by uid 1016); 15 Jan 2003 19:51:07 -0000 

Del i vered_To : cd@securi tyf ocus . com 

Received: (qmail 28296 invoked by uid 101); 15 Jan 2003 19:51:07 -0000 
PostedDate: 01/15/2003 12:51:07 PM 
From: alephl@securityfocus.com 

SendTo: Mario van velzen <mvelzen@securityfocus.com> 
CopyTo: Craig Davison <cd@securityfocus.com> 
Subject: Re: email for discussion 

$MessagelD : <20030115195107 . GB3819@securi tyf ocus . com> 

References : <Pi ne . LNX . 4 . 43 . 0301151054540 . 1254-100000@mai 1 . securi tyf ocus . com> 
MIME_Version: 1.0 „ 

ln_Repl y_To : <Pi ne . LNX . 4 . 43 . 0301151054540. 1254-100000@mai 1 . securi tyf ocus . com> 
$MiMETrack: itemize by SMTP server on uscu-SMTPiB01-2/GLOBE-ADMiN/SYMANTEC(Rel ease 
5 0.11 I Jul y 24, 2002) at 01/15/2003 11:57:49 AM, MIME-CD by Notes Client on Craig 
Davison/Enterprise(Release 6.0.2CF1I June 9, 2003) at 02/27/2009 12:49:19 pm,mime-cd 
complete at 02/27/2009 12:49:19 PM 
SMTPOri gi nator : al ephlOsecuri tyf ocus . com 
RoutingState: 

SupdatedBy: ,cn=uscu-smtpib01-2/ou=globe-admin/o=symantec 
Routeservers: .. , 

CN=USCU-SMTPIB01-2/OU=GLOBE-ADMIN/O=SYMANTEC,CN=USCU-MAIL01-l/OU=GLOBE-ADMIN/O=SYMAN 

RouteTimes: 01/15/2003 12:57:49 PM-01/15/2003 12:57:51 PM, 01/15/2003 12:54:25 

PM-01/15/2003 12:54:25 PM 

$Orig: AA72BC0C48EB503B88256CAF006DAA04 

Categories: 

$Revisions: 

SMsgTrackFlags: 0 

DeliveredDate: 01/15/2003 12:54:25 PM 

* Mario van velzen (mvelzen@securityfocus.com) [030115 19:15]: 

> Hi there, 

> PS: There's a few more points I need to touch, but I will send this email 

> out and go from there. Expect more emails from me today and tomorrow, mvv 
> 

> A few points that we need to touch on. I will write down its current 

> state, and you can let me know if you have any concerns. 

> - Eli as: when would you be available for a meeting? This afternoon or 

> tomorrow? How was your move? 
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Mostly done, but I've found out that the phone wiring inside the house 
is crazy. I haven't been able to get a phone line until now. Best call 
me on my cell phone. I am available this afternoon if you need me to be 
it would be best for me tomorrow. 

> - craig/Elias: Is Monday appropriate for meetings? Next Monday ok for the 

> both of you? 

Yes. 



> 

> - Hardware: Here's the current situation: 

> energon (external: 207.34.103.195, internal: 10.0.2.1) 

> SSH gateway, running RedHat 8.0, KVM Switch ID 7 

> 

> fury (internal: 10.0.2.12) 

> IRC, documents store, CVS 

> Running RedHat 8.0, KVM Switch ID 1 

> 

> megatron (internal: 10.0.2.5) 

> MS SQL 

> Running W2K Server, KVM Switch ID 3 
> 

> axe (internal: 10.0.2.6) 

> Development box 

> Running RedHat 8.0, KVM Switch ID 2 

> 

> grimlock (internal: 10.0.2.3) 

> VMware host 

> Running RedHat 8.0, KVM switch ID 5 

> 

> I will add one box to dedicate it to network processing, is that 

> appropriate? What else do you need? 

How is axe different from grimlock? we need one box for the actual 
VMware service, one box for the honey pot support services (DNS, DHCP), 
one box for the NAT system, one box for port scanning, and one box 
for malware oracle. 
> 

> - Project plan: The AQS has been promoted to a official Symantec 

> deliverable, which means I have to provide additional information, 

> including a timeline, for the project. 

> I'm assembling the requirements, and creating a timeline for this. I will 

> send a very rough sketch of it this afternoon, for you to review, would 
it 

> be possible for you to review those dates, and modify/buy off on them? 
Tonight, yes. 

> I apologize if those are non-technical issues, but that's what I'm 
tackled 

> with right now. Let me know if you have any concerns or questions. 
> 

> Mario 



Eli as Levy 

Symantec 

A lea jacta est 
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InetsendTo : mari o_vanvel zen@symantec . com 

InetCopyTo : crai g_davi son@symantec . com , el i as_l evy@symantec . com 
$StorageTo: 1 
$StorageCc: 1,1 

$Mailer: Lotus Notes Release 5.0.9a January 7, 2002 

Page 5 



5-g.txt 

From: CN=Elias Levy/OU=Redwood/OU=cal /0=symantec 
iNetFrom: eTias_Tevy@symantec.com 

$MessagelD : <0FEB179A7D . 931F96D1-ON88256CAF . 006E96D2-882 56CAF . 006EE870@LocaT Domai n> 

PostedDate: 01/15/2003 01:04:49 PM 

$SeaTData: 

Sign: 0 

$seaT : 

$UpdatedBy: CN=ETias 

Levy/ou=Redwood/ou=caT /o=symantec , CN=USCU-MAIL01-l/OU=GLOBE-ADMIN/O=SYMANTEC 
$Orig: EB179A7D931F96D188256CAF006E96D2 
Categories: 
$Revi sions: 

Routeservers : cn=uscu-mail01-1/ou=globe-admin/o=symantec 
RouteTimes: 01/15/2003 01:04:52 PM-01/15/2003 01:04:53 PM 
$MsgTrackFTags : 0 

DeTiveredDate: 01/15/2003 01:04:53 PM 



Received: from uscu-navgw3.symantec.com ([155.64.1.176]) by 
uscu-smtpib01-2.symantec.com (Lotus Domino ReTease 5.0.11) with SMTP id 

2003011513401000:1049644 ; Wed, 15 Jan 2003 13:40:10 -0800 

Received: from uscu-navieg.symantec.com ([155.64.1.175]) by 
uscu-navgw3.symantec.com (SAVSMTP 3 .0.0.44ccantisp8) with SMTP id 
M2003011513433326116 for <Crai g_Davi son@notes . Symantec . com> ; Wed, 15 Jan 2003 
13:43:33 -0800 

Received: from excu-mxib-l.symantec.com ([198.6.49.87]) by uscu-navieg.symantec.com 

(SAVSMTP 3.0.1.45) with SMTP id M2003011513433421026 for 

<Crai g_Davi son@notes . Symantec . com> ; Wed, 15 Jan 2003 13:43:34 -0800 

Received: from securityfocus.com (maiT.securityfocus.com [205.206.231.9]) by 

excu-mxib-l.symantec.com (8 . 12 . 2+Sun/8 . 12 . 2) with SMTP id hOFl_hXbl027233 for 

<Craig_Davison@symantec.com>; Wed, 15 Jan 2003 13:43:34 -0800 (PST) 

Received: (qmaiT 18063 invoked by uid 1016); 15 Jan 2003 21:33:27 -0000 

DeT i vered_To : cd@secu ri tyf ocus . com 

Received: (qmail 18055 invoked by uid 1053); 15 Jan 2003 21:33:27 -0000 

PostedDate: 01/15/2003 02:33:27 PM 

From: Mario van veTzen <mveT zen@securi tyf ocus . com> 

SendTo: aTephl@securityfocus.com 

CopyTo: Craig Davi son <cd@securityfocus . com> 

Subject: Re: emaiT for discussion 

ln_RepTy_To: <20030115195107 .GB3819@securi tyf ocus . com> 

$MessagelD : <Pi ne . LNX . 4 . 43 . 0301151429110 . 1254-100000@mai T . secu ri tyf ocus . com> 
MlME_Version: 1.0 

$MiMETrack: itemize by SMTP Server on uscu-SMTPiB01-2/GLOBE-ADMlN/SYMANTEC(Rel ease 
5.0.11 UuTy 24, 2002) at 01/15/2003 01:40:10 PM, mime-CD by Notes cTient on Craig 
Davi son/Enterprise(ReT ease 6.0.2CFl| June 9, 2003) at 02/27/2009 12:49:19 pm.mime-CD 
compTete at 02/27/2009 12:49:19 PM 
SMTPOri gi nator : mveT zen@securi tyf ocus . com 
Routingstate: 

SupdatedBy: ,cn=uscu-smtpib01-2/ou=globe-admin/o=symantec 
Routeservers: 

cn=uscu-smtpib01-2/ou=globe-admin/o=symantec,cn=uscu-mail01-i/ou=globe-admin/o=syman 
tec 

RouteTimes: 01/15/2003 02:40:10 PM-01/15/2003 02:40:11 PM, 01/15/2003 02:36:45 

PM-01/15/2003 02:36:46 PM 

$Orig: 2D56674769D61F4188256CAF007708AA 

Categori es : 

$Revi sions: 

$MsgTrackFTags: 0 

DeTiveredDate: 01/15/2003 02:36:46 PM 
Greetings , 

> > - ETias: When wouTd you be avaiTabTe for a meeting? This afternoon or 

Page 6 



5-g.txt 

> > tomorrow? How was your move? 

> Mostly done, but I've found out that the phone wiring inside the house 

> is crazy. I haven't been able to get a phone line until now. Best call 

> me on my cell phone. I am available this afternoon if you need me to be 

> it would be best for me tomorrow. 

Tomorrow is good. 2pm mst = 1pm PST appropriate for everyone? 

> > - craig/Elias: Is Monday appropriate for meetings? Next Monday ok for 
the 

> > both of you? 
> 

> Yes. 

Again, 2pm MST? 
Thanks , 

Mario 



Received: from uscu-navgw3.symantec.com ([155.64.1.176]) by 
uscu-smtpib01-2.symantec.com (Lotus Domino Release 5.0.11) with SMTP id 

2003011514232846:1052662 ; Wed, 15 Jan 2003 14:23:28 -0800 

Received: from uscu-navieg.symantec.com ([155.64.1.175]) by 
uscu-navgw3.symantec.com (SAVSMTP 3.0.0.44ccantisp8) with SMTP id 
M2003011514265125255 for <Craig_Davi son@notes . Symantec . com> ; wed, 15 Jan 2003 
14:26:51 -0800 

Received: from excu-mxib-l.symantec.com ([198.6.49.87]) by uscu-navieg.symantec.com 

(SAVSMTP 3.0.1.45) with SMTP id M2003011514265228277 for 

<Craig_Davison@notes. Symantec. com>; wed, 15 Jan 2003 14:26:52 -0800 

Received: from securityfocus.com (mail.securityfocus.com [205.206.231.9]) by 

excu-mxib-l.symantec.com (8.12.2+Sun/8.12.2) with SMTP id hOFMQqbl006330 for 

<Crai g_Davi sonOsymantec . com> ; Wed, 15 Jan 2003 14:26:52 -0800 (PST) 

Received: (qmail 30348 invoked by uid 1016); 15 Jan 2003 22:16:45 -0000 

Del i vered_To : cdOsecuri tyf ocus . com 

Received: (qmail 30335 invoked from network); 15 Jan 2003 22:16:45 -0000 
Received: from navgwout.symantec.com (198.6.49.12) by mail.securityfocus.com with 
SMTP; 15 Jan 2003 22:16:45 -0000 

Received: from navgwout.symantec.com (navgwout [198.6.49.12]) by 
navgwout.symantec.com (8 . 9. 3+Sun/8 . 9. 3) with SMTP id OAA10328; wed, 15 Jan 2003 
14:26:50 -0800 (PST) 

Received: from mailer.symantec.com ([198.6.49.176]) by navgwout.symantec.com 
(SAVSMTP 3.0.1.45) with SMTP id M2003011514264929028 ; Wed, 15 Jan 2003 14:26:49 
-0800 

Received: from uscu-smtpob01-l.symantec.com (uscu-smtpob01-l.symantec.com 

[155.64.74.130]) by mailer.symantec.com (8 . 11. 6+Sun/8 . 11. 6) with ESMTP id 

hOFMQnBl0884; Wed, 15 Jan 2003 14:26:49 -0800 (PST) 

Subject: Re: email for discussion 

SendTo: Mario van velzen <mvelzen@securi tyf ocus. com> 

CopyTo: alephl@securityfocus.com, Craig Davison <cd@securityfocus . com> 

$Mailer: Lotus Notes Release 5.0.9a January 7, 2002 

$MessageiD: 

<OF5BlOD4Bl.827CAl48-ON87256CAF.007B8AEA-87256CAF.007B8FFE@symantec.COm> 
From: "Craig Davison" <craig_davison@symantec.com> 
PostedDate: 01/15/2003 03:29:37 PM 
MlME_Version: 1.0 

$MiMETrack: Serialize by Router on uscu-SMTPOB01-l/GLOBE-ADMiN/SYMANTEC(Rel ease 
5.0.11 |July 24, 2002) at 01/15/2003 02:35:24 PM, itemize by SMTP Server on 
USCU-SMTPIB01-2/GLOBE-ADMIN/SYMANTEC(Release 5.0.11 | July 24, 2002) at 01/15/2003 

02:23:28 PM, MIME-CD by Notes Client on Craig Davison/Enterprise(Release 
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6.0.2CF1I June 9, 2003) at 02/27/2009 12^49^19 PM, MIME-CD complete at 02/27/2009 
12:49:19 PM 

SMTPOri gi nator : crai g_davi son@symantec . com 

SupdatedBy^ 6 ' , cn=uscu-smtpib01-2/ou=globe-admin/o=symantec 

CN=USCU-SMTpiB01-2/OU=GLOBE-ADMIN/O=SYMANTEC,CN=USCU-MAIL01^ 

..juteTimes: 01/15/2003 03 
PM-01/15/2003 03:20:04 PM 
$Ori g : 0E5F1ED776C0224D88256CAF007AFFAE 
Categories: 
$Revi sions : 
$MsgTrackFlags: 0 

DeliveredDate: 01/15/2003 03:20:04 PM 
Yep. 



Mario van velzen 
<mvelzen@security 
focus . com> 

2003-01-15 02:33 



I to: 

al ephl@secun tyfocus . com 

| cc: Craig Davison 

<cd@securi tyfocus. com> 

| subject: Re: email for 

discussion 
I 



Greetings, 

> > - Eli as: When would you be available for a meeting? This afternoon or 

> > tomorrow? How was your move? 

> Mostly done, but I've found out that the phone wiring inside the house 

> is crazy. I haven't been able to get a phone line until now. Best call 

> me on my cell phone. I am available this afternoon if you need me to be 

> it would be best for me tomorrow. 

Tomorrow is good. 2pm MST = 1pm PST appropriate for everyone? 

> > - Craig/Eli as: Is Monday appropriate for meetings? Next Monday ok for 
the 

> > both of you? 
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> Yes. 

Again, 2pm MST? 
Thanks , 
Mario 



Received: from uscu-navgw3.symantec.com ([155.64.1.176]) by 
uscu-smtpib01-2.symantec.com (Lotus Domino Release 5.0.11) with SMTP id 

2003011520302439:1071989 ; Wed, 15 Jan 2003 20:30:24 -0800 

Received: from uscu-navieg.symantec.com ([155.64.1.175]) by 
uscu-navgw3.symantec.com (SAVSMTP 3.0.0.44ccantisp8) with SMTP id 
M2003011520334503645 for <Crai g_Davi son@notes . Symantec . com> ; Wed, 15 Dan 2003 
20:33:45 -0800 

Received: from excu-mxib-l.symantec.com ([198.6.49.87]) by uscu-navieg.symantec.com 

(SAVSMTP 3.0.1.45) with SMTP id M2003011520334806884 for 

<Craig_Davison@notes. Symantec. com>; Wed, 15 Jan 2003 20:33:48 -0800 

Received: from securityfocus.com (mail.securityfocus.com [205.206.231.9]) by 

excu-mxib-l.symantec.com (8.12.2+sun/8.12.2) with SMTP id hOG4xmbl007023 for 

<Craig_Davison@symantec.com>; wed, 15 Jan 2003 20:33:48 -0800 (PST) 

Received: (qmail 10204 invoked by uid 1016); 16 Jan 2003 04:23:39 -0000 

Del i vered_To : cd@securi tyfocus . com 

Received: (qmail 10196 invoked by uid 101); 16 Jan 2003 04:23:39 -0000 
PostedDate: 01/15/2003 09:23:39 PM 
From: alephl@securityfocus.com 

SendTo: Mario van velzen <mvelzen@securityfocus.com> 
copyTo: Craig Davison <cd@securi tyfocus . com> 
Subject: Re: email for discussion 

SMessagelD: <20030116042339 . GB9221@securi tyfocus . com> 
References : <20030115195107 . GB3819@securi tyfocus . com> 
<Pi ne . LNX . 4 . 43 . 0301151429110 . 12 54-100000@mai 1 . securi tyfocus . com> 
MlME_Version: 1.0 

ln_Repl y_To : <Pi ne . LNX .4.43. 0301151429110 . 12 54-100000@mai 1 . secu ri tyfocus . com> 
$MlMETrack : itemize by SMTP Server on uscu-SMTPlB01-2/GLOBE-ADMiN/SYMANTEC(Rel ease 
5.0.11 | July 24, 2002) at 01/15/2003 08:30:24 PM, MIME-CD by Notes Client on Craig 
Davison/Enterprise(Release 6.0.2CFl| June 9, 2003) at 02/27/2009 12:49:19 PM, MIME-CD 
complete at 02/27/2009 12:49:19 PM 
SMTPOrigi nator : alephl@securi tyfocus . com 
RoutingState: 

$updatedBy: ,cn=uscu-smtpib01-2/ou=globe-admin/o=symantec 
RouteServers : 

cn=uscu-smtpib01-2/ou=globe-admin/o=symantec,cn=uscu-mail01-1/ou=globe-admin/o=syman 

TEC 

RouteTimes: 01/15/2003 09:30:24 PM-01/15/2003 09:30:25 PM, 01/15/2003 09:26:58 

PM-01/15/2003 09:26:59 PM 

$Ori g : DDEA728D686296C388256CB00018C1A8 

Categories: 

$Revi sions : 

$MsgTrackFlags: 0 

DeliveredDate: 01/15/2003 09:26:59 PM 

* Mario van velzen (mvelzen@securityfocus.com) [030115 21:33]: 

> Greetings, 

> 

Page 9 



5-g.txt 

> > > - Eli as: when would you be available for a meeting? This afternoon or 

> > > tomorrow? How was your move? 

> > Mostly done, but I've found out that the phone wiring inside the house 

> > is crazy. I haven't been able to get a phone line until now. Best call 

> > me on my cell phone. I am available this afternoon if you need me to be 

> > it would be best for me tomorrow. 

> Tomorrow is good. 2pm MST = 1pm PST appropriate for everyone? 

> > > - craig/Elias: Is Monday appropriate for meetings? Next Monday ok 
for the 

> > > both of you? 

> > 

> > Yes. 
> 

> Again, 2pm MST? 
Yes. 



> Thanks, 
> 

> Mario 



Eli as Levy 

Symantec 

Alea jacta est 



Principal: CN=Mario Van velzen/OU=Calgary/OU=Alberta/0=SYMANTEC 
Slangprincipal : 

$altprincipal : CN=Ben Baker/OU=Eugene/OU=Oregon/0=SYMANTEC 

$FILE : 

AltFrom: CN=Mario van vel zen/OU=Cal gary/OU=Al be rta/ o=SYMANTEC 
Logo: StdNotesLtrO 
useApplet: True 
Sign: 0 

DefaultMailsaveOptions: 1 
Query_String: 

Subject: task list for project plan 

SendTo : CN=Crai g Davi son/OU=Cal gary/OU=Al berta/0=SYMANTEC@SYMANTEC , CN=El i as 
Levy/ou=Redwood ci ty/ou=cal /o=symantec@symantec 
CopyTo : 

inetSendTo : crai g_davi son@symantec . com , el i as_l evy@symantec . com 

inetCopyTo: 

$StorageTo: 1,1 

$Mailer: Lotus Notes Release 5.0.9a January 7, 2002 

$MessagelD : <OF4B9CA53F . 1B08CD6A-ON87256CB0 . 0073719D-87256CB0 . 00738E42@Local Domai n> 

From: CN=Mario van velzen/OU=Calgary/OU=Alberta/0=SYMANTEC 

iNetFrom: mario_vanvelzen@symantec. com 

PostedDate: 01/16/2003 02:02:10 PM 

Encrypt: 

RoutingState: 

SupdatedBy: CN=Mario van 

Velzen/OU=Calgary/OU=Alberta/O=SYMANTEC,CN=USCU-MAIL01-l/OU=GLOBE-ADMIN/O=SYMANTEC 

$Orig: 4B9CA53F1B08CD6A87256CB00073719D 

Categories: 

$Revisions: 

Routeservers : cn=uscu-mail01-1/ou=globe-admin/o=symantec 
RouteTimes: 01/16/2003 01:52:32 PM-01/16/2003 01:52:33 PM 
$MsgTrackFlags: 0 
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5-g.txt 

DeliveredDate: 01/16/2003 01:52:33 PM 
Hi there, 

Attached you will find an outline project plan, with a number of dates 
associated with them. We will discuss this at the meeting. 

Thanks ! 

Mario 



principal: CN=Elias Levy/OU=Redwood/OU=Cal/0=SYMANTEC 
$langprincipal : 

$altprincipal : CN=Ben Baker/OU=Eugene/OU=Oregon/0=SYMANTEC 
$Autospell: 1 

AltFrom: CN=Elias Levy/ou=Redwood/OU=cal/0=SYMANTEC 
Logo: stdNotesLtrO 
useApplet: True 
Encrypt: 1 

DefaultMailSaveOptions: 1 

Query_Stri ng : 

Subject: Training dates 

$SealData: 

$SealData: 

SendTo: CN=Mario van velzen/OU=Calgary/ou=Alberta/0=SYMANTEC(asYMANTEC,CN=Craig 

Davison/ou=Calgary/OU=Alberta/o=SYMANTEC@SYMANTEC 

CopyTo: . 

inetSendTo : mari o_vanvel zen@symantec . com , crai g_davi son@symantec . com 

inetCopyTo: 

SstorageTo: 1,1 

$Mailer: Lotus Notes Release 5.0.9a January 7, 2002 
From: CN=Elias Levy/OU=Redwood/OU=cal/0=SYMANTEC 
iNetFrom: elias_levy@symantec.com 

$MessagelD: <OF6292EF66.C075D624-ON88256CBl.0005207A-88256CBl.000552C8@LocalDomai i> 

PostedDate: 01/16/2003 05:51:33 PM 

SsealData: 

Sign: 0 

$seal : 

SupdatedBy: CN=Elias 

Levy/ou=Redwood/ou=cal /o=symantec , cn=uscu-mail01-1/ou=globe-admin/o=symantec 
$Orig: 6292EF66C075D62488256CB10005207A 
categories: 
$Revi sions: 

Routeservers : cn=uscu-mail01-1/ou=globe-admin/o=symantec 
RouteTimes: 01/16/2003 05:51:33 PM-01/16/2003 05:51:33 PM 
$MsgTrackFlags: 0 

DeliveredDate: 01/16/2003 05:51:33 PM 

D 

principal: CN=Elias Levy/OU=Redwood/ou=Cal/0=SYMANTEC 
$langprincipal : 

$altprincipal : CN=Ben Baker/OU=Eugene/OU=Oregon/0=SYMANTEC 
$AutoSpell : 1 

AltFrom: CN=Elias Levy/OU=Redwood/ou=Cal/o=SYMANTEC 
Logo: stdNotesLtrO 
useApplet: True 
Encrypt: 1 

DefaultMailSaveOptions: 1 
Query_String: 
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5-g.txt 

Subject: Malware Oracle 

$SealData: 

$sealData: 

SendTo: CN=Mario van veTzen/ou=calgary/ou=Alberta/o=SYMANTEC@SYMANTEC,CN=craig 

Davi son/OU=Cal gary/OU=Al berta/0=SYMANTEC@SYMANTEC 

CopyTo: 

inetSendTo : man" o_vanvel zen@symantec . com , crai g_davi son@symantec . com 

inetCopyTo: 

SstorageTo: 1,1 

$Mailer: Lotus Notes Release 5.0.9a January 7, 2002 
From: CN=E"lias Levy/ou=Redwood/ou=Cal/0==SYMANTEC 
iNetFrom: el i as_l evy@symantec . com 

$MessageID: <OF85BF85F5 . 588B940A-ON88256CBl.0006A7CD-88256CBl.0007lACl@LocalDomain> 

PostedDate: 01/16/2003 06:11:00 PM 

SsealData: 

Sign: 0 

$Seal : 

SupdatedBy: CN=Elias 

Levy/OU=Redwood/OU=Cal/O=SYMANTEC,CN=USCU-MAIL01-l/OU=GLOBE-ADMIN/O=SYMANTEC 
$Orig: 85BF85F5588B940A88256CB10006A7CD 
categories: 
$Revn sions : 

Routeservers : cn=uscu-mail01-1/ou=globe-admin/o=symantec 
RouteTimes: 01/16/2003 06:11:00 PM-01/16/2003 06:11:00 PM 
$MsgTrackFlags: 0 

DeliveredDate: 01/16/2003 06:11:00 PM 

□ 

$FILE : 

$AutoSpeT1: 1 

$Al tNameLanguageTags : 

Inheri tedRepI yTo : 

inheritedFrom: CN=Mario van velzen/OU=Calgary/ou=Alberta/0=SYMANTEC 
inheri tedAltFrom: CN=Ben Baker/OU=Eugene/OU=Oregon/0=SYMANTEC 
Inheri tedFromDomai n : 

AltFrom: CN=Elias Levy/ou=Redwood/OU=CaT/o=SYMANTEC 
Logo: stdNotesLtrO 
Encrypt : 1 

DefaultMailSaveOptions : 1 
Query_String: 

Principal: CN=Elias Levy/0U=Redwood/OU=Cal/O=SYMANTEC 
Subject: Re: task list for project plan 

SendTo: CN=Mario Van vel zen/OU=Cal gary/OU=Al berta/0=SYMANTEC@SYMANTEC 
copyTo : CN=crai g Davi son/ou=cal gary/ou=Al berta/o=SYMANTEC@SYMANTEC , CN=El i as 
Levy/ou=Redwood Ci ty/ou=cal /o=SYMAntec@symantec 
InetSendTo : mari o_vanvel zen@symantec . com 

InetCopyTo : crai g_davi son@symantec . com , el i as_l evy@symantec . com 
SstorageTo: 1 
Sstoragecc: 1,1 

$Mailer: Lotus Notes Release 5.0.9a January 7, 2002 
From: CN=Elias Levy/ou=Redwood/ou=cal /o=symantec 
INetFrom : el i as_l evy@symantec . com 

$MessagelD : <OFF2C406DC . B4845282-ON882 56CB1 . 0009A401-88256CB1 . 0009FCC4@Local Domai n> 
PostedDate: 01/16/2003 06:42:25 PM 
$Si gnature : 
Sign: 0 
$Seal : 

Routingstate: 
SupdatedBy: CN=Elias 

Levy/ou=Redwood/ou=cal /o=symantec , cn=uscu-mail01-1/ou=globe-admin/o=symantec 
$Orig: F2C406DCB484528288256CB10009A401 
Categories: 
$Revi sions: 
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5-g.txt 

Routeservers : cn=uscu-mail01-1/ou=globe-admin/o=symantec 
RouteTimes: 01/16/2003 06:42:34 PM-01/16/2003 06:42:36 PM 
$MsgTrackFlags: 0 

DelfveredDate: 01/16/2003 06:42:36 PM 

Please switch the Inquisitor FSD with the Malware Oracle one. Remove the 
SND/DIS FSD, and replace the date for the Malware Oracle FSD with the 2/21 
date. I hope it won't take that long but at this time the Malware Oracle 
is a wild card, until I learn more from Symantec we better use this latter 
date. 

Eli as Levy 

Symantec 

Alea jacta est 



Mario van velzen 
01/16/2003 01:02 PM 

To: Craig Davi son/Cal gary/Al berta/SYMANTEC@SYMANTEC , Eli as 

Levy/Redwood 

Ci ty/Cal / SYMANTEC@SYMANTEC 
cc: 

Subject: task list for project plan 

Hi there, 

Attached you will find an outline project plan, with a number of dates 
associated with them, we will discuss this at the meeting. 

Thanks ! 

Mario 



$AutoSpell: 1 

$Al tNameLanguageTags : 

inheritedReplyTo: 

inheritedFrom: CN=Craig Davison/OU=Calgary/OU=Alberta/0=SYMANTEC 
inheritedAltFrom: CN=Ben Baker/OU=Eugene/OU=Oregon/0=SYMANTEC 
inheri tedFromDomai n : 

AltFrom: CN=Elias Levy/ou=Redwood/OU=cal/o=SYMANTEC 
Logo: stdNotesLtrO 
Encrypt: 1 

DefaultMailsaveOptions: 1 
Query_String: 

Principal: CN=Elias Levy/OU=Redwood/OU=Cal/0=SYMANTEC 

Subject: Re: HoneyPotAddresses 

$sealData: 

SendTo : CN=crai g Davi son/ou=Cal gary/ou=Al berta/ o=symantec@SYMANTEC 
CopyTo: CN=Elias Levy/ou=Redwood ci ty/ ou=cal / o=SYMANTEC@SYMANTEC 
inetSendTo : crai g_davi son@symantec . com 
inetCopyTo : el i as_l evyOsymantec . com 
$StorageTo: 1 
$StorageCc: 1 

$Mailer: Lotus Notes Release 5.0.9a January 7, 2002 
From: CN=Elias Levy/ou=Redwood/ou=cal/o=SYMANTEC 
iNetFrom : el i as_l evyOsymantec . com 
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5-g.txt 

$MessageID: <OF458324BF.C348FF01-ON88256CBl.0066F4F3-88256CBl.0067279D@Local Domai n> 

PostedDate: 01/17/2003 11:40:07 AM 

SsealData: 



$updatedBy: CN=Elias 

Levy/ou=Redwood/ou=Cal /o=symantec , cn=uscu-mail01-1/ou=globe-admin/o=symantec 
$0n'g: 458324BFC348FF0188256CB10066F4F3 
Categories: 
$Revi sions : 

Routeservers : cn=uscu-mail01-1/ou=globe-admin/o=symantec 
RouteTimes: 01/17/2003 11:40:14 AM-01/17/2003 11:40:15 AM 
SMsgTrackFlags: 0 

DeliveredDate: 01/17/2003 11:40:15 AM 



principal: CN=Elias Levy/OU=Redwood/OU=Cal/0=SYMANTEC 
$langprincipal : 

Saltprincipal : CN=Ben Baker/OU=Eugene/OU=oregon/0=SYMANTEC 
$AutoSpell: 1 

AltFrom: CN=Elias Levy/ou=Redwood/OU=cal/o=SYMANTEC 
Logo: stdNotesLtrO 
useApplet: True 
Encrypt: 1 

DefaultMailSaveOptions: 1 
Query_String: 

Subject: AQS/DIS integration 

SsealData: 

$SealData: 

SendTo : CN= 3 i m Hill /OU=Beave rton / OU=Oregon/ o=SYMANTEC@SYMANTEC 
CopyTo : 

inetSendTo: jhilKasymantec.com 

inetCopyTo: 

$StorageTo: 0 

$Mailer: Lotus Notes Release 5.0.9a January 7, 2002 
From: CN=Elias Levy/OU=Redwood/OU=cal/o=SYMANTEC 
iNetFrom : el i as_l evyOsymantec . com 

SMessagelD : <OFAA942 5CC . 2C017B58-ON88256CB1 . 007055B5-882 56CB1 . OQ719c08@Local Domai n> 

PostedDate: 01/17/2003 01:34:19 PM 

SsealData: 

Sign: 0 

$Seal : 

SupdatedBy: CN=Elias 

Levy/ou=Redwood/ou=cal /o=symantec , cn=uscu-mail01-1/ou=globe-admin/o=symantec 
$Orig: AA9425CC2C017B5888256CB1007055B5 
categories: 
$Revi sions: 

Routeservers : cn=uscu-mail01-1/ou=globe-admin/o=symantec 
RouteTimes: 01/17/2003 01:34:26 PM-01/17/2003 01:34:27 PM 
$MsgTrackFlags: 0 

DeliveredDate: 01/17/2003 01:34:27 PM 

Bl i ndCopyTo : CN=Crai g Davi son/ou=Cal gary/ou=Al berta/0=SYMANTEC 
inetBl i ndCopyTo : crai g_davi sonOsymantec . com 
$StorageBcc: 1 



Principal: CN=Mario van velzen/OU=Calgary/OU=Alberta/0=SYMANTEC 
Slangprincipal : 

$altprincipal : CN=Ben Baker/ou=Eugene/ou=oregon/0=SYMANTEC 
AltFrom: CN=Mario van velzen/OU=Calgary/OU=Alberta/0=SYMANTEC 
Logo: StdNotesLtrO 
useApplet: True 
Sign: 0 
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5-g.txt 

DefaultMailSaveOptions: 1 
Query_String: 

Subject: comments on timeline? 

SendTo: CN=Craig . n 

Davi son/ou=Cal gary/ou=Al be rta/ o=symantec@symantec , cdOsecun tyf ocus . com 

CopyTo: 

inetSendTo : crai g_davi son@symantec . com , . 

inetCopyTo: 

SstorageTo: 1,. 

$Mailer: Lotus Notes Release 5.0.9a January 7, 2002 

$MessagelD: <OF8DD57233 . 6C442621-ON87256CB3 .007E1244-87256CB3 . 007E263A@Local Domai n> 

From: CN=Mario van velzen/OU=Calgary/OU=Alberta/0=SYMANTEC 

iNetFrom : man* o_vanvel zen@symantec . com 

PostedDate: 01/19/2003 03:57:53 PM 

Encrypt: 

SupdatedBy: CN=Mario van velzen/OU=Calgary/OU=Alberta/0=SYMANTEC 
$Orig: 8DD572336C44262187256CB3007E1244 
Categori es : 
$Revi sions : 

Routeservers : cn=uscu-mail01-1/ou=globe-admin/o=symantec 
RouteTimes: 01/19/2003 03:47:57 PM-01/19/2003 03:47:58 PM 
$MsgTrackFlags: 0 

DelTveredDate: 01/19/2003 03:47:58 PM 
Hi there, 

I still have not received your comments/edits on the timeline. Can you 
send them to me first thing Monday morning? 



Received: from uscu-navgw3 . Symantec . com ([155.64.1.176]) by 
uscu-smtpi b01-2 . Symantec . com (Lotus Domino Release 5 .0. 11) with SMTP id 

2003011914551181: 1171783 ; Sun, 19 Jan 2003 14:55:11 -0800 

Received: from uscu-navieg.symantec.com ([155.64.1.175]) by 
uscu-navgw3.symantec.com (SAVSMTP 3 .0.0.44ccantisp8) with SMTP id 
M2003011914583512568 for <Crai g_Davi sonOnotes . Symantec . com> ; Sun, 19 Jan 2003 
14:58:35 -0800 

Received: from excu-mxib-l.symantec.com ([198.6.49.87]) by uscu-navieg.symantec.com 

(SAVSMTP 3.0.1.45) with SMTP id M2003011914583716371 for 

<Craig_Davison@notes. Symantec. com>; Sun, 19 Jan 2003 14:58:37 -0800 

Received: from securityfocus.com (mail.securityfocus.com [205.206.231.9]) by 

excu-mxib-l.symantec.com (8.12.2+Sun/8.12.2) with SMTP id hOJMwzbl012477 for 

<Craig_Davison@symantec.com>; Sun, 19 Jan 2003 14:58:35 -0800 (PST) 

Received: (qmail 18752 invoked by uid 1016); 19 Jan 2003 22:47:57 -0000 

Del i vered_To : cd@secu ri tyf ocus . com 

Received: (qmail 30251 invoked from network); 19 Jan 2003 22:44:17 -0000 
Received: fromnavgwout.symantec.com (198.6.49.12) by mai 1 . securi tyfocus . com wi th 
SMTP; 19 Jan 2003 22:44:17 -0000 

Received: from navgwout.symantec.com (navgwout [198.6.49.12]) by 
navgwout.symantec.com (8 . 9. 3+Sun/8 . 9. 3) with SMTP id OAA00293 for 
<cd@securi tyf ocus. com>; Sun, 19 Jan 2003 14:54:53 -0800 (PST) 
Received: from mailer.symantec.com ([198.6.49.176]) by navgwout.symantec.com 
(SAVSMTP 3.0.1.45) with SMTP id M2003011914545224590 for <cd@secu ri tyfocus . com> ; 
Sun, 19 Jan 2003 14:54:52 -0800 

Received: from uscu-smtpob01-l.symantec.com (uscu-smtpob01-l.symantec.com 
[155.64.74.130]) by mailer.symantec.com (8 . 11. 6+Sun/8 . 11. 6) with ESMTP id 

hOJMsqB20427 for <cd@securi tyfocus . com> ; Sun, 19 Jan 2003 14:54:52 -0800 (PST) 
Subject: comments on timeline? 
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j . y . x x l 

SendTo: "Craig Davison" <crai g_davi son@symantec . com> , cd@securi tyfocus . com 

$Mailer: Lotus Notes Release 5.0.9a January 7, 2002 

$MessagelD: 

<OF8DD57233 . 6C442621-ON87256CB3 . 007E1244-87256CB3 . 007E263A@symantec . com> 
From: "Mario van velzen" <mario_vanvelzen@symantec.com> 
PostedDate: 01/19/2003 03:57:53 PM 

MlME_version: 1.0 , n 

$MlMETrack: serialize by Router on uscu~SMTPOB01-l/GLOBE-ADMlN/SYMANTEC(Rel ease 
5.0.11 I July 24, 2002) at 01/19/2003 03:03:31 PM, Itemize by SMTP Server on 
USCU-SMTPIB01-2/GLOBE-ADMIN/SYMANTEC(Release 5.0.11 | Duly 24, 2002) at 01/19/2003 
02:55:11 PM, MIME-CD by Notes Client on Craig Davi son/Enterpri se(Rel ease 
6.0.2CFl|Dune 9, 2003) at 02/27/2009 12:49:19 PM, MIME-CD complete at 02/27/2009 
12:49:19 PM 

SMTPOri gi nator : mari o_vanvel zen@symantec . com 
RoutingState: 

SupdatedBy: ,cn=uscu-smtpib01-2/ou=globe-admin/o=symantec 
RouteServers : 

CN=USCU-SMTPIB01-2/OU=GLOBE-ADMIN/O=SYMANTEC,CN=USCU-MAIL01-l/OU=GLOBE-ADMIN/O=SYMAN 

RouteTimes: 01/19/2003 03:55:11 PM-01/19/2003 03:55:13 PM, 01/19/2003 03:51:45 

PM-01/19/2003 03:51:45 PM 

$Orig: C90952B70421B57888256CB3007DE72F 

Categori es : 

$Revi sions : 

$MsgTrackFlags: 0 

DeliveredDate: 01/19/2003 03:51:45 PM 
Hi there, 

I still have not received your comments/edits on the timeline. Can you send 
them to me first thing Monday morning? 

Thanks , 

Mari o 



□ 

$FILE : 
$Links: 

$Al tNameLanguageTags : 
inheritedReplyTo: 

inheri tedFrom : CN=Crai g Davi son/OU=Cal gary/OU=Al berta/0=SYMANTEC 
inheritedAltFrom: CN=Craig Davi son/OU=Calgary/OU=Al berta/0=SYMANTEC 
inheri tedFromDomai n : 

AltFrom: CN=Mario Van velzen/OU=Calgary/OU=Al berta/0=SYMANTEC 
Logo: stdNotesLtrO 
Sign: 0 

DefaultMailSaveOptions: 1 
Query_String: 

Principal: CN=Mario Van vel zen/ OU=Cal ga ry/ OU=Al be rta/ o=SYMANTEC 
Subject: Re: task list for project plan 

SendTo : CN=crai g Davi son/0U=Cal gary/OU=Al be rta/ o=SYMANTEC@SYMANTEC , CN=El i as 

Levy/ou=Redwood ci ty/ou=cal /o=symantec@symantec 

CopyTo: 

inetSendTo : crai g_davi sonOsymantec . com , el i as_l evy@symantec . com 

inetCopyTo: 

SstorageTo: 1,1 

$Mailer: Lotus Notes Release 5.0.9a January 7, 2002 

$MessagelD : <OF808E0AD3 . B9A0D1F2-ON87256CB4 . 00677E82-87256CB4 . 0067A249@Local Domai n> 
From: CN=Mario van velzen/ou=calgary/ou=Alberta/o=SYMANTEC 
iNetFrom: mari o_vanvel zen@symantec . com 
PostedDate: 01/20/2003 11:51:57 AM 
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5-g.txt 

Encrypt : 

RoutingState: 

SupdatedBy: CN=Mario van 

Velzen/OU=Calgary/OU=Alberta/O=SYMANTEC,CN=USCU-MAIL01-l/OU=GLOBE-ADMIN/O=SYMANTEC 
$Ori g : 808E0AD3B9A0D1F287256CB4OO677E82 
Categories: 
$Revi sions : 

Routeservers : cn=uscu-mail01-1/ou=globe-admin/o=symantec 
RouteTimes: 01/20/2003 11:42:33 AM-01/20/2003 11:42:34 AM 
$MsgTrackFlags: 0 

DeliveredDate: 01/20/2003 11:42:34 AM 
Hi there, 

Here is the updated calendar, with both your changes, and holidays added 
for both Canada and us sites. Are you all in agreement with the dates? 

Let me know either way. Thank you. 

Mario 



Craig Davison 
01/20/2003 10:35 AM 

to: Mario van Velzen/Calgary/Al berta/SYMANTEC@SYMANTEC 
cc: Eli as Levy/Redwood City/Cal/SYMANTEC@symantec 
Subject: Re: task list for project plan 

All the dates look fine to me except for: 

- Management console/ui. Although the ui is simple in this project , UI 
development is time-consuming and plenty of small things can go wrong . 
15 days? 

- inquisitor. This is a simpl e component, true, but I don't think 5 days 
is a safe estimate for any one piece of the project. 

8 days? 



Mario van velzen 
2003-01-16 02:02 PM 

To: Craig Davi son/ Cal gary/ Al berta/ SYMANTEC@SYMANTEC , Eli as 

Levy/Redwood 

Ci ty/Cal / SYMANTEC@SYMANTEC 
cc: 

Subject: task list for project plan 

Hi there, 

Attached you will find an outline project plan, with a number of dates 
associated with them, we will discuss this at the meeting. 

Thanks! 

Mario 
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$FILE : 

$Auto5pell: 1 
$Links: 

$Al tNameLanguageTags : 
inhen'tedReplyTo : 

inheritedFrom: CN=Mario van velzen/OU=Calgary/OU=Alberta/0=SYMANTEC 
inheritedAltFrom: CN=Mario Van velzen/OU=Calgary/OU=Alberta/0=SYMANTEC 
inheritedFromDomai n: 

AltFrotn: CN=Elias Levy/OU=Redwood/ou=cal/o=SYMANTEC 
Logo: stdNotesLtrO 
Encrypt: 1 

DefaultMailsaveOptions: 1 
Query_String: 

Principal: CN=E~lias Levy/OU=Redwood/OU=Cal/0=SYMANTEC 
Subject: Re: task list for project plan 

sendTo: CN=Mario van velzen/ou=calgary/ou=Alberta/o=SYMANTEC@SYMANTEC 
CopyTo : CN=crai g Davi son/OU=cal gary/ou=Al be r ta/ o=symantec@symantec , CN=El i as 
Levy /ou=Redwood Ci ty/OU=cal /o=SYMANTEC@symantec 
inetSendTo : man" o_vanvel zen@symantec . com 

inetCopyTo : crai g_davi sonOsymantec . com , el i as_l evy@symantec . com 
$StorageTo: 1 
Sstoragecc: 1,1 

$Mailer: Lotus Notes Release 5.0.9a January 7, 2002 
From: CN=Elias Levy/OU=Redwood/ou=cal/o=SYMANTEC 
iNetFrom : el i as_l evy@symantec . com 

$MessagelD: <OF4D20F148 . 9B99A12B-ON88256CB4 . 00775F45-88256CB4 . 00778Bl3@Local Domai n> 

PostedDate: 01/20/2003 02:39:01 PM 

$Signature: 

Sign: 0 

$Seal : 

Routingstate: 
SupdatedBy: CN=Elias 

Levy/OU=Redwood/OU=Cal/O=SYMANTEC,CN=USCU-MAIL01-l/OU=GLOBE-ADMIN/O=SYMANTEC 
$Orig: 4D20F1489B99A12B88256CB400775F45 
Categories: 
$Revi sions : 

Routeservers : cn=uscu-mail01-1/ou=globe-admin/o=symantec 
RouteTimes: 01/20/2003 02:39:16 PM-01/20/2003 02:39:16 PM 
$MsgTrackFlags: 0 

DeliveredDate: 01/20/2003 02:39:16 PM 

in general it looks good. The only caveat is the time set aside for the 
malware oracle FSD. we need more information from Symantec. But for now is 
as good an estimate as any. 

Eli as Levy 

Symantec 

Alea jacta est 

Mario van velzen 
01/20/2003 10:51 AM 

to: Craig Davi son/Cal gary/Al berta/SYMANTEC@SYMANTEC , Eli as 

Levy/Redwood 

Ci ty/Cal / SYMANTEC@SYMANTEC 
cc: 

Subject: Re: task list for project plan 
Page 18 



5.g.txt 

Hi there, 

Here is the updated calendar, with both your changes, and holidays added 
for both Canada and US sites. Are you all in agreement with the dates? 

Let me know either way. Thank you. 

Mario 
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5-h.txt 

principal: CN=Elias Levy/ou=Redwood/ou=cal/o=SYMANTEC 
$langprincipal : 

Saltprincipal : CN=Ben Baker/0U=Eugene/OU=Oregon/o=SYMANTEC 
$AutoSpell: 1 

AltFrom: CN=Elias Levy/ou=Redwood/ou=Cal/o=SYMANTEC 
Logo: stdNotesLtrO 
useApplet: True 
Encrypt: 1 

DefaultMailSaveOptions: 1 

Query_String: 

Subject: AQS FSD vl.O 

SendTo: CN=Mario van velzen/OU=calgary/OU=Alberta/o=SYMANTEC@SYMANTEC,CN=Craig 
Davi son/OU=Cal gary/ou=Al be r ta/ o=symantec@SYMANTEC 

CopyTo: CN=oliver Friedrichs/ou=Redwood ci ty/ ou=Cal / o=SYMANTEC@SYMANTEC 
inetsendTo : mari o_vanvel zen@symantec . com, crai g_davi sonOsymantec . com 
inetCopyTo : ol i ver_f ri edri chslsymantec . com 
$StorageTo: 1,1 
$StorageCc: 1 

$MaiTer: Lotus Notes Release 5.0.9a January 7, 2002 
From: CN=Elias Levy/ou=Redwood/OU=cal /o=symantec 
iNetFrom: elias_levy@symantec.com 

$MessagelD: <OF6C65D981.4D3BF8ED-ON88256CB4.002554E6-88256CB4.005FB02C@LocalDomain> 

PostedDate: 01/20/2003 10:18:26 AM 

$Signature: 

Sign: 0 

Sseal : 

RoutingState: 
SupdatedBy: CN=Elias 

Levy/OU=Redwood/OU=Cal/O=SYMANTEC,CN=USCU-MAIL01-l/OU=GLOBE-ADMIN/O=SYMANTEC 
$Orig: 6C65D9814D3BF8ED88256CB4002554E6 
categories: 
$Revi sions : 

Routeservers : cn=uscu-mail01-1/ou=globe-admin/o=symantec 
RouteTimes: 01/20/2003 10:25:18 AM-01/20/2003 10:25:19 AM 

$MsgTrackFlags: 0 

DeliveredDate: 01/20/2003 10:25:19 AM 
Attached is the AQS FSD vl.O. 



Eli as Levy 

Symantec 

Alea jacta est 
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5 . i .ics 

BEGIN :VCALENDAR 
VERSION: 2.0 

PRODID: -//Apple lnc.//ical 4.0//EN 

CALSCALE: GREGORIAN 

BEGIN :VTIMEZONE 

TZID: US/Pacific 

BEGIN: STANDARD 

TZOFFSETFROM : -0700 

RRULE : FREQ=YEARLY ; UNTIL=20061029T090000Z ; BYMONTH=10 ; BYDAY=-lSU 

DTSTART:19621028T020000 

TZNAME : PST 

TZOFFSETTO:-0800 

END: STANDARD 

BEGIN: DAYLIGHT 

TZOFFSETFROM: -0800 

RRULE : FREQ=YEARLY; UNTIL=20060402T100000Z; BYMONTH=4; BYDAY=1SU 

DTSTART: 19870405T020000 

TZNAME : PDT 

TZOFFSETTO:-0700 

END: DAYLIGHT 

BEGIN: DAYLIGHT 

TZOFFSETFROM : -0800 

RRULE : FREQ=YEARLY ; BYMONTH=3 ; BYDAY=2SU 

DTSTART: 20070311T020000 

TZNAME : PDT 

TZOFFSETTO:-0700 

END: DAYLIGHT 

BEGIN: STANDARD 

TZOFFSETFROM: -0700 

RRULE : FREQ=YEARLY ; BYMONTH=ll ; BYDAY=lSU 

DTSTART: 20071104T020000 

TZNAME: PST 

TZOFFSETTO:-0800 

END: STANDARD 

END : VTIMEZONE 

BEGIN :VEVENT 

CREATED : 20080324T210223Z 
UID:D15987639 

DTEND ; TZID=US/Paci f i c : 20030219T140000 

RRULE : FREQ=WEEKLY; INTERVAL=1; UNTIL=20030418T065959Z ; BYDAY=WE 
TRANS P: OPAQUE 
SUMMARY :AQS meeting 

DTSTART ;TZID=US/Paci f i c : 20030219T130000 

DTSTAMP : 20061227T172209Z 

SEQUENCER 

END : VEVENT 

ENDlVCALENDAR 
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